Category: The Tor Project

What is your idea?

Emerald Onion is a recently founded ISP/community non-profit organization based in Seattle seeded by a Tor Servers grant and personal donations. Our goal is to expand the privacy community by lowering the cost and learning curve for community organizations in the US to operate infrastructure.

Existing organizations in this space, Calyx and Riseup, have succeeded in rapidly becoming focal points for the community, but are inherently difficult to scale and are most effective in their local geographic communities. Thus, while Riseup has excelled at providing technical software, there is no easy path to establishing similar organizations. We want to change that!

In beginning the process of establishing ourselves, we have been documenting every step of the way. We are already running multiple unfiltered Tor exit nodes, and have both legally vetted abuse letters and educational material for law enforcement published. Now, we want to take this knowledge and export it to other communities. In particular, we want to focus on areas near Internet Exchange Points that are in at least 49 metro locations around the US, which can provide economical pricing and good connectivity for Internet traffic. We hope to spur wider deployment of Tor, onion services, and surrounding privacy technologies by helping other local groups follow our path.

Part of this mission is becoming a focal point for privacy operations work ourselves. Working with researchers at Berkeley, we are contributing to easier handling of abuse complaints. With academics in the Tor community, we are piloting new exit strategies to limit the impact of censorship. With the open source community, we are increasing platform diversity through the use and documentation of HardenedBSD as an alternative software stack. Our trajectory as an organization will include partnering with these organizations to improve usage and deployability, education of other network operators, and increasing our network presence and capacity.

What are your goals / long-term effects?

Our goal is that most major communities in the US have local organizations focused on operating privacy technology. Hackerspaces today are a mixed bag, and are often centered around physical rather than digital creation. Despite the presence of major IXPs, there are many urban centers today without community-driven organizations working to bolster privacy. We envision providing the groundwork and enthusiasm to support a network of ISPs around the country that can rectify this situation. Getting these entities in place will be important underlying infrastructure for future decentralized and federated networks to follow the model of Tor today.

Emerald Onion will directly evangelize operational best practices as it matures as a community organization and fits into the Seattle privacy community. To take advantage of Seattle’s position as one of the largest exchange points in the world, Emerald Onion will actively seek out peering agreements and aim to transit a significant amount of Tor traffic. Through our ISP operations, we hope for two primary longer term effects: First, that we are able to disseminate knowledge of peering agreements to make it significantly easier for other entities to understand how to enter into these negotiations. Second, that we can help Tor and other privacy enhancing networks gain capacity, reliability, and strategies for resilience to censorship. These technologies have focused on their software properties, but there are significant operational and networking challenges that need to be solved in tandem. We believe entities like Emerald Onion are the right complement to help privacy technologies succeed.

How will you do it?

Concretely, Emerald Onion will work to bring at least 10 new, independent, Privacy-focused ISPs into existence within the next 12 months. We will also speak in conferences, and use our existing communication pathways to advertise and publish our work. We will work to find other supporters and help them establish their own organizations. In addition, we will work to make shared support networks, like legal funds, peering databases, and abuse systems to be more accessible to these community groups.

Specifically, we will focus on the following areas of capacity:

Funding and organizational stability strategies

Nonprofit ISP incorporation setup and management

Data center co-location setup and management

ARIN registration and AS and IP scope management

IP transit setup and management

BGP setup and management

Peering agreement setup and management

Legal response setup and management

To stabilize ourselves as a focal point of the Seattle privacy community, Emerald Onion will continue to develop both its own sustainability model, and its infrastructure.

We expect to receive 501c3 status by the end of the year, and have already begun soliciting donations for our general operations. We have had initial success in approaching local members of the community to contribute the funds for one relay worth of cost in exchange for “naming rights” of that node. We believe direct community contributions can provide sustainability, and will complement this income stream with grant funding for growth.

We will also continue to increase our network presence to improve our fault tolerance and gain access to more network peers. Higher capacity will allow us to provide incubation for a larger range of privacy enhancing technologies.

Who is it for?

Emerald Onion is not just for the ~60 million monthly Tor users or the Seattle privacy community. We are not just a testing ground for encountering and solving operational issues in the deployment of privacy technologies. Emerald Onion is strategically developing as a model steward of privacy networks that is focused on quality and integrity. Our actions and relationships further legitimize Tor within communities that operate the backbones of the Internet and will help normalize the use of Tor for business-driven service providers. We will continue to be an inspiration for community groups and other ethically-conscious ISPs alike.

Emerald Onion’s day-to-day work at present focuses on existing and new Tor router operators, who with the organizations that they create will immediately impact public perception. In Emerald Onion’s short existence, we have made direct, personal connections with at least 50 professional network administrators, datacenter operators, and Internet service providers. Imagine that happening in every major IXP community around the United States.

Emerald Onion has paid for professional legal services, and has already published our verified Legal FAQ and abuse complaint responses that are valid within the United States. Similarly, the organization is working with Academics to better understand the operational reality of abuse complaints, and to understand opportunities for making use of the IP space. These services benefit the larger privacy community both operationally, and as an incubator for projects.

What is the existing community?

The Tor relay community is already strong, but lacks strong US-based advocacy for growth. In Europe, TorServers.net has evolved into a grant-giving organization, which is able to provide advice and financial support to help new relays get started, but is not well positioned to support US-based relays. In Canada, Coldhak runs a valuable relay, but has not attempted to export its knowledge to external entities.

In the US, the largest relay presences come from Riseup.net and Calyx networks. Riseup is focused on services like email and VPNs in tandem with important education. This is valuable work, but does not extend to directly advocating for new groups to enter the ISP space. Calyx is supported through a cellular ISP model focusing on end-users but does not focus on supporting new relay operators.

Emerald Onion aims to fill this gap through direct advocacy to guide and support new relay operators and encourage the existence and creation of privacy supporting entities in a diverse set of IXPs around the country.

Complementary Efforts?

The Tor Project itself provides a basic level of support for new entities, particularly with technical support. In addition to a wide-reaching and engaging community, the presence of the Tor-relays mailing list provides a valuable community-wide support network between operators. The EFF has been a long-time supporter of the legal aspects of relay operation, and has helped with several legal papers supporting helping to establish the legal protections of Tor exit operation, along with providing counsel when new legal issues arise. It remains the case that new entities establishing Tor exit nodes in the US face thousands of dollars of legal fees to properly prepare themselves with the needed form letters for abuse and a tricky navigation of legal guidelines to establish themselves as legal entities with the authority to respond to complaints without fear of retribution.

Emerald Onion hopes to fill these gaps by making it easier for others by defining clear direction, freely published in the public domain, so that new operators don’t need to duplicate work that we’ve already performed. Building a shared legal defense fund and sharing how to navigate data center costs and contracts will allow groups to form with much less risk or uncertainty.

Why is it needed?

In building Emerald Onion so far, we have already found that many of the steps we are taking are undocumented, or rely on verbally communicated lore. That situation is not sustainable, and cannot scale or significantly improve the current state of the world.

More organizations are needed that focus on Internet privacy the same way hackerspaces have focused on hardware and technical development. Internet issues are inherently rooted in being part of the Internet and that barrier has so far been a high hurdle for community groups. We believe that this hurdle needs to be lower.

Without active development of these entities, we will continue to see even more centralization of the Internet and continued erosion of neutrality. Retaining a community presence in Internet operations is a key underlying infrastructure that we strongly believe has the potential to change the future development of the Internet.

In this post, we’ll detail how we set up Tor on HardenedBSD. We’ll use HardenedBSD 11-STABLE, which ships with LibreSSL as the default crypto library in base and in ports. The vast majority of Tor infrastructure nodes run Linux and OpenSSL. Emerald Onion believes running HardenedBSD will help improve the diversity and resiliency of the Tor network. Additionally, running HardenedBSD gives us peace of mind due to its expertly crafted, robust, and scalable exploit mitigations. Together, Emerald Onion and HardenedBSD are working towards a safer and more secure Tor network.

This article should be considered a living document. We’ll keep it up-to-date as HardenedBSD and Emerald Onion evolve.

Initial Steps

Downloading and installing HardenedBSD 11-STABLE is simple. Navigate to the latest build and download the installation media that suits your needs. The memstick image is suited for USB flash drives. Boot the installation media.

Select your keymap. If you use a standard US English keyboard, the default is fine:

Choose a hostname:

Select the distribution sets to install:

Choose your filesystem. For purposes of this article, we’ll use ZFS for full-disk encryption:

Selecting the Pool Type will allow you to configure your ZFS pool the way you want. We will just use a single disk in this article:

Since we’re using a single disk, we’ll select the Stripe option:

Select the disks to use in the pool. Only a single disk for us:

After selecting the disks, you’ll go back to the original ZFS setup menu. We’ve made a few changes (Encrypt Disks, Swap Size, Encrypt Swap):

Review the changes:

Set the password on your encrypted ZFS pool:

Validate the password:

Encrypted ZFS will initialize itself:

HardenedBSD will now install distribution sets:

Set the root password:

If you want to set up networking, select the network device to configure. In this article, we’ll set up a dynamic (DHCP) network configuration:

We want to use IPv4:

We want to use DHCP:

It will try to acquire a DHCP lease:

At Emerald Onion, we put IPv6 first. However, in this example article, we won’t use IPv6 as it’s not currently available. So we’ll choose no when prompted to set up IPv6:

Ensure the DNS information is correct and make any changes if needed:

It’s now time to choose the system timezone. Select the region:

We chose America. We’ll choose United States for the country next:

Finally we’ll chose the actual timezone:

Confirm the timezone:

Because we use NTP, we’ll skip setting the date:

We’ll also skip setting the time:

Select the services to start at boot:

Select the system hardening options. HardenedBSD sets options one through five by default, so there’s no need to set them here.

We will go ahead and add an unprivileged user. Make sure to add the user to the “wheel” group for access to use the su program:

Set the user’s details:

HardenedBSD is now installed! Exit the installer. The installer will do things in the background so there may be some delay between exiting and the next prompt:

We don’t want to make further modifications to the installation prior to rebooting:

Go ahead and reboot:

The installation is now complete!

Installing Tor

Installing Tor is simple, too. Once HardenedBSD is installed and you’ve logged in, run the following command:

# pkg install tor

The Tor package on HardenedBSD, and its upstream FreeBSD, currently does not ship with a modified Tor configuration file, which can be found at /usr/local/etc/tor/torrc. Tor isn’t set up to log outside of initial startup messages. You will need to edit the Tor configuration file to suit your needs. Take a look at the tor(1) manpage for all the available configuration options.

In our set up, Tor listens on TCP ports 80 and 443 as an unprivileged user. We need to tell HardenedBSD to allow non-root users to be able to bind to ports that traditionally require root privileges:

Multi-Instance Tor

At Emerald Onion, we run multiple instances of Tor on the same server. This allows us to scale Tor to our needs. The following instructions detail how to set up multi-instance Tor. The same instructions can be used for single-instance Tor.

We named our instances simple names: instance-01, instance-02, instance-03, and so on. Each instance has its own configuration file, located at /usr/local/etc/tor/torrc@${instance_name}. We first set up a template config file:

Then we start Tor. The first time the Tor rc script starts Tor, it will create the data and logging directories for you with the proper permissions.

# service tor start

Keeping HardenedBSD and Tor Up-To-Date

Updating HardenedBSD is simple with hbsd-update. We publish updates for base periodically. Feel free to use hbsd-update as often as you’d like to check for updates to the base operating system.

For example:

# hbsd-update
# shutdown -r now

To update your packages, including Tor, use:

# pkg upgrade

Tor Service Management Basics

The tor rc script uses SIGINT when shutting Tor down. This causes Tor to shutdown in an ungraceful manner, immediately halting connections from clients. Instead of using the traditional service tor stop command, directly issue SIGTERM to the instance you wish to stop.

If you’d like to stop all instances in a graceful way at the same time:

# killall -SIGTERM tor

In a multi-instance setup, you can tell the service command which instance you want to control by appending the instance name (the portion after the @ symbol of the torrc file) at the end of the command. For example, to reload the config file for instance-01, issue the following command:

# service tor reload instance-01

If you want to reload the config file for all instances, simply remove the instance name from the above command. The rc script will issue the reload command across all instances.

If you’d like to look at an instance’s log file, you can use the tail command:

# tail -f /var/log/tor/instance-01/notices.log

Future Work

In the future, we would like to further harden our Tor setup by having each instance deployed in its own HardenedBSD jail. Once that is complete, we will document and publish the steps we took.

Disclaimer: This is not legal advice due to the fact that Emerald Onion is not your lawyer. Further, it is based on laws and court cases in the United States and does not apply to most of the world. If you are planning on becoming an ISP dedicated to transiting Tor traffic, please seek out and maintain active support from your own lawyer.

One of Emerald Onion’s priorities when establishing was to work with professional legal services for specific language when communicating with other organizations negatively impacted by the anonymous Tor traffic that we transit. Another priority is to freely share our work, to help others who take on the cause.

If you value our not-for-profit work, like the information shared here, please keep in mind that we graciously accept donations.

There are three documents that we use for addressing Tor abuse complaints. The first one has been published on our site for over a month, our Legal FAQ. We use this document whenever someone contacts us about any issue that is not a DMCA issue, so it is used a lot. Keep in mind that Emerald Onion only operates full (not reduced) exit relays, so we get lots of infringement related complaints.

The two other documents (below) should be used based on where an abuse complaint is coming from. Most Tor operators are used to working with their upstream ISP directly. This is because these operators lease IP space from their upstream ISP. In this case, it is important to use the “Complaint Forwarded By Your ISP(s)”.

The other way that abuse complaints can come in is directly from third-parties, typically the ones who have recorded your IP address(es) as being the cause of perceived abuse. Emerald Onion went through the process of obtaining our own Autonomous System (AS) number, IPv6 and IPv4 scopes, and because of this, we receive all abuse complaints directly. Third-parties at the other end of the anonymous Tor traffic that we transit only see our contact information in the WHOIS for our IP space, and not the contact information of our upstream providers.

We encourage other Tor operators to replicate our work so that they can directly manage all abuse complaints. Doing so removes a tremendous amount of legal stress from upstream providers. When this is applicable to you, use the “Direct Complaint” document below.

Complaint Forwarded By Your ISP(s)

I am writing on behalf of [Your Organization] in response to the notice copyright below.

[Your Organization] is a [Your State] State-based nonprofit corporation and encrypted transit internet service provider. I would like to assure you that [Your Organization] is neither infringing copyrights nor hosting the claimed infringing materials on behalf of users. The notice is likely based upon misunderstandings about the law and about some of the software we run.

As an initial matter, the faulty copyright notice was triggered by a routing program that we are running on our servers called Tor. The Tor network is a group of volunteer-operated routers on the Internet that helps people enhance their security, privacy, and safety. [Your Organization] only runs Tor traffic through our routers.

Tor bounces communications through routers on the network before sending those packets on to their final destinations. However, Tor tunnels the connections so that no router can learn both the source and destination of the packets, which protects users from nefarious snooping on network traffic. The result is that the final IP address that the recipient receives is not the IP address of the sender.

Tor is valuable because it promotes privacy and free expression around the world. It also protects users against hazards such as harassment, spam, identity theft, price discrimination, and even dissident surveillance by oppressive governments. To learn more about Tor, see https://www.torproject.org/.

[Your Organization] operates Tor exit routers with connectivity to the [Your Internet Exchange Point(s)]. Those routers are only a conduit of online traffic. We are thus protected by the Digital Millennium Copyright Act safe harbor provision of 512(a). That safe harbor also likely protects you, as our ISP, from liability arising from this complaint.

The DMCA creates four “safe harbors” that protect service providers from copyright liability for the acts of their users, provided that the ISPs fulfill certain requirements. 17 U.S.C. § 512. The DMCA’s requirements vary depending on the ISP’s role. You may be familiar with the “notice and takedown” provisions of section 512(c) of the DMCA, which applies to ISPs hosting content on behalf of users. However, those requirements do not apply when an ISP merely serves as a “conduit,” i.e., transmits, routes, or provides for connections through a system or network. The safe harbor of section 512(a) has different and less burdensome eligibility requirements for conduits. SeeRecording Indus. Ass’n of Am., Inc. v. Verizon Internet Servs., Inc., 351 F.3d 1229 (D.C. Cir. 2003); In re Charter Commc’ns, Inc., Subpoena Enforcement Matter, 393 F.3d 771 (8th Cir. 2005).

Under section 512(a), service providers like you are typically protected from damages for copyright infringement claims if you also maintain “a policy that provides for termination in appropriate circumstances of subscribers and account holders of the service provider’s system or network who are repeat infringers.” If you have and implement such a policy, and you otherwise qualify for the safe harbor, you should be free from fear of copyright damages.

As an organization committed to protecting the privacy of its customers, I hope you’ll agree that Tor is a valuable technology and will continue to support our effort to strengthen the Tor network.

Thank you for working with me on this matter. As a loyal subscriber, I appreciate your notifying me of this issue and hope that the protections of DMCA 512 put any concerns you may have to rest. If not, please contact me with any further questions.

Sincerely,

[Your Name], on behalf of [Your Organization]

Direct Complaint

I am writing on behalf of [Your Organization] in response to the notice copyright below.

[Your Organization] is a [Your State] State-based nonprofit corporation and encrypted transit internet service provider. I would like to assure you that [Your Organization] is neither infringing copyrights nor hosting the claimed infringing materials on behalf of users. The notice is likely based upon misunderstandings about the law and about some of the software we run.

As an initial matter, the faulty copyright notice was triggered by a routing program that we are running on our servers called Tor. The Tor network is a group of volunteer-operated routers on the Internet that helps people enhance their security, privacy, and safety. [Your Organization] only runs Tor traffic through our routers.

Tor bounces communications through routers on the network before sending those packets on to their final destinations. However, Tor tunnels the connections so that no router can learn both the source and destination of the packets, which protects users from nefarious snooping on network traffic. The result is that the final IP address that the recipient receives is not the IP address of the sender.

Tor is valuable because it promotes privacy and free expression around the world. It also protects users against hazards such as harassment, spam, identity theft, price discrimination, and even dissident surveillance by oppressive governments. To learn more about Tor, see https://www.torproject.org/.

As you may know, the DMCA creates four “safe harbors” that protect service providers from copyright liability for the acts of their users, provided that the ISPs fulfill certain requirements. 17 U.S.C. § 512. The DMCA’s requirements vary depending on the ISP’s role. You may be familiar with the “notice and takedown” provisions of section 512(c) of the DMCA, which applies to ISPs hosting content on behalf of users. However, those requirements do not apply when an ISP merely serves as a “conduit,” i.e., transmits, routes, or provides for connections through a system or network. The safe harbor of section 512(a) has different and less burdensome eligibility requirements for conduits. SeeRecording Indus. Ass’n of Am., Inc. v. Verizon Internet Servs., Inc., 351 F.3d 1229 (D.C. Cir. 2003); In re Charter Commc’ns, Inc., Subpoena Enforcement Matter, 393 F.3d 771 (8th Cir. 2005).

[Your Organization] operates Tor exit routers with connectivity to the [Your Internet Exchange Point(s)]. Because [Your Organization] serves as a conduit of online traffic, we fall within the section 512(a) safe harbor, and are not subject to the requirements of section 512(c).

Thank you for working with me on this matter. I hope that the protections of DMCA 512 put any concerns you may have to rest. If not, please contact me with any further questions.

Emerald Onion is researching IXPs in the U.S.A. in order to identify areas of priority as it concerns increasing global Tor network capacity by way of putting Tor routers directly on these highly interconnected networks. Putting Tor exit routers in IXPs, for example, may reduce network latency to end points. It may also reduce network hops, potentially minimizing the possibility of third-party surveillance. Emerald Onion envisions a future where the Tor network is composed of much larger and more stable network operators, globally.

Questions

Are there any Tor routers connected to any United States-based IXPs? If so, which ones and who operates them?

Is this IXP friendly to Tor?

What is the organizational structure of this IXP? Such as corporate-run or community-driven, etc.

What qualities of an IXP should impact how meaningful it would be for the Tor network?